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METHOD AND SYSTEM FOR PROVIDING AUTHENTICATION OF A MOBILE 
TERMINAL IN A HYBRID NETWORK FOR DATA AND VOICE SERVICES 

Cross Reference to Related Applications 

The present application claims the benefit of the filing date of U.S. 
provisional patent application serial no. 60/372,529, attorney docket no. 29981.37, 
filed on 15 April, 2002. 

5 

Technical Field 

The invention relates in general to voice and data communications, and in 
particular to a system and method to conduct authentication in a hybrid wireless 
network. 

10 

Background Information 

A typical wireless network is composed of two sub-networks: a Radio 
Access Network (RAN) which handles radio related issues such as assigning radio 
resources to a mobile terminal (or "mobile" in short) upon request for services, and 

15 a Core Network (ON) which links the mobile user to wireline networks. Current 
specifications of wireless networks require that the RAN and CN have the same 
wireless technology in order to provide wireless services. These networks may be 
referred to as "homogeneous networks." For instance, a GSM mobile will only 
operate in a wireless networi^ which its RAN and CN are both GSM wireless 

20 technology based. Fig. 1 illustrates a GSM wireless networic 100 composed of a 
GSM RAN 102 and a GSM CN 104. 

The GSM RAN 102 includes a GSM Mobile Station (MS) 106 that 
communicates to a GSM Base Station System (BSS) 108 through a GSM radio 
channel 110. The GSM BSS 108 includes a GSM Base Transceiver Station (BTS) 

25 110 and GSM Base Station Controller (BSC) 1 1 2. 

The GSM Core Network (CN) 104 includes a GSM Mobile Switching Center 
(MSC) 120 that is connected to the GSM BSC 1 12 as well as a GSM Gateway 
MSC (GMSC) 122 by using SS7 ISUP communications 124. The GSM GMSC 
122 is also connected to the Public Switclied Telephone Network (PSTN) 126 by 
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using SS7 ISUP communications 124. In this figure, a teieplione 128 is sinown to 
be connected to tlie PSTN as an illustration of a calling/called party. In addition, a 
Serving General Packet Radio Service Node (GPRS) (SGSN) 130 is shown to 
also be connected to the GSM BSC 112. Moreover, a GSM Short Message 
5 Service Center (SMS-C) 1 32, a GSM Home Location Register (HLR) 1 34 and a 
GSM Authentication Center (AuC) 136 are all shown to be connected the GSM 
MSC 120 and the SGSN 130. Further, a GSM Service Control Point (SCP) 138 
connects a GSM Billing System 140 to the GSM MSC 120 and the GSM HLR 134. 
The connection from the GSM Billing System 140 and the GSM MSC 120 utilizes 

10 IP. Additionally, a Packet Data Network (PDN) 142 is shown connected to the 
GSM CN 104 through a Gateway GPRS Node (GGSN) 144 utilizing IP 
communications. 

A disadvantage of this configuration is that, given many wireless 
technologies that exist today and considering new ones being defined for the 

15 future, this Is a serious limitation in the wireless service provision to deal with a 
situation in which a mobile compatible with one wireless technology moves into a 
wireless network of different technology. Such a configuration prevents the mobile 
from getting services and limits the mobile's geographical sen/Ice area to networks 
that support a specific wireless technology. The same limitation applies to 

20 wireless networks that are CDMA wireless technology based. 

Fig 2 illustrates such a CDMA2000 based network 200. The CDMA2000 
RAN 201 includes a CDMA2000 MS 202 connected to a CDMA2000 BSS 204 
through a CDMA2000 BTS 206. The CDMA2000 BTS 206 is In turn connected to 
a CDMA2000 BSC 208, which connects to a Packet Control Function (PCF) 210. 

25 The CDMA2000 CN 212 connects to the CDMA2000 RAN 201 by the 

CDMA2000 BSC 208 connecting to the CDMA200 MSC 214. The CDMA2000 
MSC 214 Is connected to an IS-41 SMS-C 216, an IS-41 HLR 218, an IS-41 AuC 
220 and an IS-41 SCP 222. The IS-41 SCP 222 in turn is also connected to the 
IS-41 HLR 218 and a Store and Fonvard Service 224, which In turn is connected 

30 to an IS-41 Billing System 226. In addition, a Packet Data Serving Node (PDSN) 
228 is connected to the PCF 210 of the CDMA2000 RAN 200 and a PDN 230. 
Moreover, the CDMA2000 MSC 214 connects the CDMA2000 CN 212 to the 
PSTN 232 and a phone 234. 
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A hybrid wireless network Is a wireless network composed of a RAN and a 
CN of different technologies linked. Fig. 3 illustrates such a hybrid wireless 
network 300 including a GSM CN 302, which may be in communication with a 
GSM RAN 304 and/or a CDMA RAN 306. The RAN 304 and 306 communicate 
5 with the CN 302 through a Hybrid Mobile Switching Center (HMSC) 308. This 
networic architecture presents a large advantage In deployment speed and cost 
reduction over the traditional homogeneous wireless networks discussed 
previously. One of the problems solved Is to enable a mobile temninal in one of 
the RANs 304 or 306 and certain network entitles In the CN 302 to exchange 

1 0 message contents without being obstructed by the differences in the technologies 
involved (e.g., message encoding and decoding schemes). 

For example, in most wireless networks, wireless services are granted to a 
mobile after It is authenticated. This process is known as the authentication of a 
mobile. Different wireless technologies use different procedures and algorithms 

15 to perform such an authentication process. For instance, a CDMA mobile 
operating in a CDMA network generates authentication parameters which are 
quite different from those generated by a GSM mobile operating in a GSM 
network. There are currently no known solutions to provide authentication of £i 
mobile operating In a hybrid wireless network. 

20 What Is needed, therefore, is a method and system for providing a solution 

to pass information and parameters to and from a mobile in a hybrid wireless 
networi< in which the RAN technology Is CDMA2000 1xEV-DO before the 
authentication or other procedures requiring certain infonmation from the network 
is invoked. 

25 

Summary of the Invention 

The present disclosure provides a method and system for passing 
infomnation required by a wireless procedure In a hybrid wireless network before 
the procedure Is Invoked, the hybrid wireless networic having at least one radio 
30 access network based on a first technology and a core network based on a 
second technology. The hybrid networic implements a special mobile switching 
center to be a "double agent" passing information between the mobile terminal 
and entities in Its core networic. In the context of messaging, the message 
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contents may be encoded, packaged, and decoded appropriately. The present 
disclosure does not introduce any changes to telecommunication standards such 
as the GSM and CDMA standards governing the messaging process. 

5 Brief Description of tiie Drawings 

Fig. 1 illustrates a GSM wireless network architecture for providing services 
to a mobile user. 

Fig, 2 illustrates a CDMA2000 wireless network architecture for providing 
services to a mobile user. 
10 Fig. 3 illustrates a hybrid wireless network architecture with a hybrid Mobile 

Switching Center comprising a RAN using GSM, a RAN using CDMA2000 1xEV- 
DO, and a RAN using CDMA2000 1xRTt wireless technology, and a CN using 
GSM wireless technology. 

Fig. 4 is a call flow diagram illustrating a successful authentication of a 
15 mobile operated in a CDMS-2000 1xEV-DO RAN and a GSM CN. This figure 
provides details complementary to Fig. 5. 

Fig. 5 is a call flow diagram illustrating a failed authentication of a mobile 
operated in a CDMS2000 IxEV-DO RAN and a GSM CN. This failure results in 
denial of service. 

20 Fig. 6 is a call flow diagram illustrating a failed authentication of a mobile 

operated in a CDMS2000 1xEV-DO RAN and a GSM CN. This failure does not 
result in denial of service. 

Fig. 7 is a call flow diagram illustrating another failed authentication of a 
mobile operated in a CDMS2000 1xEV-DO RAN and a GSM CN. This failure 
25 does not result in denial of service. 

Fig. 8 is a call flow diagram illustrating authentication when the mobile 
roams into a GSM RAN. 

Fig. 9 is a call flow diagram illustrating authentication when the mobile 
roams Into a CDMA2000 IxEV-DO RAN. 
30 Fig. 10 is a call flow diagram illustrating authentication when the mobile 

roams Into a GSM1x RAN. 



4 
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Detailed Description of the invention 

Fertile purposes of the present disclosure, various acronyms are used, the 
definitions of which are listed below: 



1 xEv-DO Single carrier evolution, data only 

5 1xRTT Single carrier evolution, radio transmission technology 

ANSI-41 American National Standards Institute - Cellular Radio 
Telecommunications Intersystem Operations 

AuC Authentication Center 

BSC Base Station Center 

10 BSS Base Station System 

BTS Base station Transceiver System 

CDMA Code Division Multiple Access 

CHAP Challenge Handshake Authentication Protocol 

CN Core Network 

15 GMSC Gateway MSC 

GSM Global System for Mobile communications 

HLR Home Location Register 

IP internet Protocol 

IMSI International Mobile Subscriber Identity 

20 IS41 Wireless Network conforming to the IS41 standard 

ISDN Integrated Services Digital Network 

ISUP ISDN User Part (of SS7) 

Kc Ciphering Key 

Ki Subscriber authentication key 

25 MSC Mobile Switching Center 

PSTN Public Switch Telephone Network 

RAN Radio Access Network 

RAND RANDom Value 

SCP Signalling Control Point 

30 SMS-C Short Message Service Center 

SRES Signed RESponse or Signature Response 

SS7 Signaling System No.7 

T1 Digital communication line that uses time division multiplexing 

5 
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with an overall transmission rate of 1 .544 million bits per 
second. 

TCP/IP Transmission Control Protocol/Internet Protocol 
VLR Visitor Location Register 

5 Various aspects of the present invention provide a unique system 

and method for providing authentication of a mobile device In a hybrid wireless 
networi<. This patent application is based off of US Provisional Patent 60/372.529 
which is hereby incorporated by reference In its entirety. It is understood, 
however, that the following disclosure provides many different embodiments, or 

1 0 examples, for Implementing different features of the invention. Specific examples 
of components, signals, messages, protocols, and arrangements are described 
below to simplify the present disclosure. These are, of course, merely examples 
and are not intended to limit the Invention from that described in the claims. 
Well-known elements are presented without detailed description in order not to 

15 obscure the present Invention in unnecessary detail. For the most part, details 
unnecessary to obtain a complete understanding of the present invention have 
been omitted inasmuch as such details are within the skills of persons of ordinary 
skill in the relevant art 

Fig. 3 illustrates a wireless network architecture utilizing a Hybrid Mobile 

20 Switching Center (HMSC) 308 to connect a CDMA2000 1xEV-DO RAN 306, a 
GSM RAN 304, and a CDMA2000 1xRTT RAN 307 to the GSM CN 302. In this 
example, the HMSC 308 has a centralized call control model for voice and packet 
data calls. This module allows the HMSC 308 to handle and keep track of all calls 
for a given mobile phone. In contrast, in a traditional GSM MSC or a CDMA MSC 

25 the call control for data and voice are located in different network entitles. In this 
example embodiment, setting-up and controlling a voice or a data call for a 
mobile user is performed at the HMSC 308. 

The example network architecture shown In Fig. 3 illustrates a hybrid 
network utilizing certain aspects of the present invention. The illustrative network 

30 provides both voice and packet data services to mobile stations In either of the two 
networi<s. For instance, in the GSM RAN 304, a GSM mobile unit 310 
communicates with a GSM BTS 312 over a GSM radio link 314. The GSM BTS 
312 typically communicates with a GSM BSC 316 using a wired link 318. The 
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BTS 312 and BSC 316 comprise a base station system or BSS 317. In tiie 
illustrative embodiments, the HMSC 308 cximmunicates witli the GSM BSC 316 
over a voice link using an SS7 ISUP protocol and over a data link using a Gb 
interface. 

5 Similarly, in the CDMA2000 IxEV-DO RAN 306, a CDMA2000 mobile 

phone 320 communicates with a CDMA 1xEV-DO BTS 322 over a CDMA radio 
link 324. The CDMAIxEV-DO BTS 322 typically communicates with a CDMA 
BSC 326 using a wired link 328. Typically, for voice communications, the CDMA 
BSC 326 communicates with the HMSC 308 over a link 330 using a variety of 

1 0 protocols, including A1 , A2, A5, A8, and A9. The CDMA BSC 326 transfers data 
to a PCF 332 over a link 334 using A8 and A9 protocols. Thus, data is usually 
sent by the PCF 332 to the HMSC 308 over a link 336 using the A10 and A1 1 
protocols. 

Similarly, in the CDMA2000 IxRTT IRAN 307, a CDMA2000 mobile phone 

1 5 364 communicates with a CDMA IxRTT BTS 366 over a CDMA radio link 368. 
The CDMAIxRTT BTS 366 typically communicates with a CDMA BSC 370 using 
a wired link 372. Typically, for voice communications, the CDMA BSC 370 
communicates with the HMSC 308 over a link 374 using a variety of protocols, 
including A1. A2. A5, A8, and A9. The CDMA BSC 370 transfers data to a PCF 

20 377 over a link 376 using A8 and A9 protocols. Thus, data is usually sent by the 
PCF 332 to the HMSC 308 over a link 378 using the A10 and A1 1 protocols. 

If the core network is a GSM network, as in the illustrative networic 300, the 
HMSC 308 communicates with the other GSM network components in much the 
same way a typical MSG would communicate with the GSM network components. 

25 For instance, the HMSC 308 may establish links with a GMSC 340, a SCP 342, an 
HLR 344, a AuC 346, a PDN 347, a GGSN 348, and/or a SMS-C 350. Similarly, 
the GMSC 340 may communicate with a PSTN 352 through a T1 link 354 using a 
SS7 ISUP protocol. The SCP 342 may establish a link 356 with a billing system 
358, and the GGSN 348 may establish a link 360 with the PDN 347, where the 

30 links 356 and 360 uses an IP protocol. Thus, for each connection. Fig. 3 

illustrates an example link and the corresponding communication protocol used to 
allow communication between typical network entities. As those skilled in the art 
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would recognize, similar communication links may be established if tiie CN 302 
were a CDMA network. 

Thus, for calls established with the GSM mobile 310, the HMSC 308 acts 
like a GSM MSG 110 as depicted in Fig. 1. For calls established with the 
5 CMDA2000 mobile 320. the HMSC 308 links the CDMA RAN 304 to the GSM CN 
302 by translating and mapping CDMA RAN messages initiated in the RAN 304 
Into GSM CN messages sent to the CN 302, and GSM messages initiated by the 
CN 302 into CDMA messages sent to the RAN 306. 

The HMSC 308 can support voice and packet data call services from 

1 0 mobiles in any type of RAN to any other type of network. For instance the mobile 
310 in the GSM RAN 304 can make a call to another mobile (not shown) operating 
in the CDMA RAN 306, a telephone 362 connected to the PSTN 352, or an entity 
as part of the PDN 347 and other networks that are not illustrated nor discussed 
in this disclosure for reasons of simplicity and clarity. The HMSC 308 is shown in 

16 communication with two RANs of different technologies, however as would be 

clear to one skilled in the art, the present invention also applies in situations where 
the HMSC 308 is in communication with one or more RANs of same technology. 

Wireless services are granted to a mobile phone after the mobile phone is 
"authenticated." Different wireless technologies use different procedures and 

20 algorithms to perfonn such an authentication process. For instance, the GSM 
mobile phone 310 operating in the GSM RAN 304 generates authentication 
parameters which are different from those generated by the CDMA mobile phone 
320 operating in the CDMA RAN 306. Thus, one aspect of the present invention 
solves this problem by providing for a method of authentication of a mobile 

25 terminal in a hybrid wireless network, the hybrid wireless network having at least 
one radio access network (RAN) based on a first technology (e.g. CDMA) and a 
core network (CN) based on a second technology (e.g., GSM). Generally, the 
method comprises: requesting a registration of the mobile terminal from the RAN; 
passing predetermined parameters for the authentication by the CN through a 

30 HMSC to the mobile terminal using messages conforming to the first technology, 
the parameters conforming to the second technology; invoking an authentication 
process by the mobile terminal using the passed parameters; and informing the 
HMSC of the CN for the authentication of the mobile terminal. 
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A one-way hash function generates a fixed-length number output - called 
the hash value - given an arbitrary input. Secure one-way hash functions have 
the character that it is unfeasible to determine their input given their output. A 
key-dependent one-way hash function requires a key to calculate the hash value 
5 from the Input. A typical use of a key dependent secure one-way hash function 
would be to verify the authenticity of a communicating entity. For instance, if entity 
A and entity B both know a private key and a key dependent secure one-way hash 
function, entity A can verify the authenticity of entity B by sending an arbitrary 
input to B and requesting entity B to return the hash value of this input calculated 

1 0 using the mutually known key dependent secure one-way hash function and the 
mutually known private key. Upon receiving the hash value from entity B, entity A 
calculates the hash value for itself and compares its hash value to the hash value 
from entity B. If the hash values are identical, entity A knows entity B is authentic, 
because only entity A and entity B know the private key (or others trusted by A 

1 5 and B to share the knowledge of the private key) and this is essential to 

calculating the correct hash value. If a spurious entity B' were to attempt to pass 
itself off as the true entity B it would fail the authentication because it would not 
know the private key and hence could not calculate the appropriate hash value. 
As is known in the art, a GSM authentication checks the validity of the 

20 subscriber's subscriber identification module (SIM) card and then decides 

whether the mobile station should be allowed on a particular networic. In a typical 
GSM networic, the authentication process begins when a BSS/MSCA/LR sends 
the RAND and a GSM Cipering Key sequence ("Kc"), to the mobile unit. The SIM 
card in the mobile unit uses the RAND, its own private identifier Ki, and the A3 

25 key-dependent secure one-way hash function to generate a signed response 
(SRES), which is then sent back to the BSS/MSCA/LR. The BSS/MSCA/LR 
compares the value of SRES received from the AuC with the value of SRES it has 
received from the mobile station. If the two values of SRES match, authentication 
is successful and the subscriber joins the network 

30 This simple GSM authentication scenario does not cover ail practical 

scenarios of authentication in a hybrid network given that the RAN technologies 
are not always the same as the CN technology. There are special cases to 
consider including roaming from a RAN of a first type of technology into a RAN of 
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a second type of technology, roaming from a RAN of a second type of technology 
into a RAN of a first type of technology. Given that the CN only accepts GSM- 
based authentication parameters, a method is needed to pass the GSM-based 
parameters between the mobile and the CN over any type of RAN technology. In 

5 addition, the present invention introduces a new concept to achieve the 

appropriate goal. By doing so, scenarios as failed authentication using correct 
values of RAND (in which case service is denied), and failed authentication using 
incon'ect values of RAND (in which retry procedures are invoked) are considered 
as well. All of these cases will be discussed in detail below. 

1 0 Fig. 4 illustrates an authentication call flow diagram 400 for a mobile in the 

hybrid network composed of a CDMA2000 1xEV-DO RAN 306 and a GSM CN 
302. In the illustrative embodiment, the participants in the call flow are the Hybrid 
MSG 308, the 1xEV-DO BSS 329, the MS 320, and the SIM 402. While the GSM 
HLR 344 and GSM AuC 346 do not participate in this call flow, they do participate 

1 5 in related call flows and are shown in Fig. 4 for completeness. Step 404 

represents a link control protocol (LCP) negotiation between the MS 320 and the 
1xEV-DO BSS 329. A LCP is used to establish, configure, and test the link 
communication. Establishment of the link involves each end of the link - the MS 
320 and the BSS 329 - negotiating various link options. In step 406 the 1xEV-DO 

20 BSS 329 sends a message to the MS 320 to initiate authentication (e.g., in the 
forni of a challenge handshake authentication protocol (CHAP) challenge 
message). The SIM 402 may use previously stored values of RAND and Kc as 
well as the internally stored value of Ki in the A3 function to calculate the SRES. 
Note that in GSM standard, Kc and RAND are sent from the CN to the mobile 

25 upon authentication request. In one aspect of the present invention, a new 
concept is introduced where the RAND and Kc are sent to the mobile during a 
previous authentication procedure. In step 408 the MS 320 sends a message 
encapsulating authentication parameters including the value of RAND, the 
international mobile subscriber identity associated with the MS 320, the calculated 

30 SRES value, and the value of Kc to the 1xEV-DO BSS 329 (e.g., in the fonm of a 
CHAP response message encapsulating parameters including 
name='GSMIMSI@operator.com' and CHAP Password='SRES&RAND&Kc'). In 
step 410 the IxEV-DO BSS 329 sends a message encapsulating autiientication 
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parameters including tiie value of RAND, the international mobile subscriber 
identity associated with the MS 320, the calculated SRES value, and the value of 
Kg to the Hybrid MSG 308 (e.g., in the form of an Access Request message 
encapsulating parameters including username='GSM IMSI' and Passwd = 'SRES 

5 & RAND & KC). The Hybrid MSG 308 may use the IMSI, RAND, and Kc 
parameters to index into a local database to retrieve a stored SRES value to 
compare with the SRES parameter which is passed in from the 1xEV-DO BSS 
329. If the Hybrid MSG 308 SRES value agrees with the passed In value of 
SRES, the MS 320 is authenticated. In step 412 the Hybrid MSG 308 sends a 

1 0 message encapsulating new values of RAND and Kc to the 1xEV-DO 329 (e.g. in 
the form of an Access Accept message). In step 414 the IxEV-DO BSS 329 
sends a message encapsulating new values of IRAND and Kc to the MS 320 (e.g. 
in the form of a CHAP success message encapsulating new values of RAND and 
Kc). The MS 320 may store new values of RAND and Kc for future use in 

15 authentication procedures. 

Turning to Fig, 5, a failed authentication operation is depicted. Step 502 is 
the LGP negotiation between the MS 320 and the IxEV-DO BSS 329. In step 504 
the 1xEV-D0 BSS 329 sends a message to the MS 320 to initiate authentication 
(e.g., in the form of a challenge handshake authentication protocol (GHAP) 

20 challenge message). The SIM 402 uses previously stored values of RAND and Kc 
as well as the internally stored value of Ki in the A3 function to calculate SRES. In 
step 506 the MS 320 sends a message encapsulating authentication parameters 
including the value of RAND, the international mobile subscriber identity 
associated with the MS 320, the SRES value the SIM 402 calculated, and the 

25 value of Kc to the 1 xEV-DO BSS 329 (e.g., in the fomn of a CHAP response 
message encapsulating parameters including name='GSMIMSI@operator.com' 
and CHAP Password='SRES&RAND&Kc'). In step 508 the 1xEV-DO BSS 329 
sends a message encapsulating authentication parameters including the value of 
RAND, the Intemational mobile subscriber Identity associated with the MS 320, the 

30 SRES value the SIM 402 calculated, and the value of Kc to the Hybrid MSG 308 
(e.g., In the form of an Access Request message encapsulating parameters 
Including usemame='GSM IMSI' and Passwd = 'SRES & RAND & Kc'). The 
Hybrid MSG 308 may use the IMSI, RAND, and Kc parameters to Index into a 
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local database to retrieve a stored SRES value to compare with the SRES 
parameter which is passed in from the 1xEV-DO BSS 329. In this case the Hybrid 
MSG 308 SRES value disagrees with the passed in value of SRES, and the IVIS 
320 is not authenticated. In step 510 the Hybrid MSC 308 sends a message to 
5 the 1xEV-DO 329 (e.g., In the form of an Access Reject message). In step 512 
the IxEV-DO BSS 329 sends a message denying access to the IVIS 320 (e.g.. in 
the fomn of a CHAP failure message). Note that no new RAND and Kc values are 
passed from the Hybrid MSC 308 back to the MS 320. 

Turning now to Fig. 6, a failed authentication operation is depicted. Step 

10 602 is the LCP negotiation between the MS 320 and the IxEV-DO BSS 329. In 
step 604 the 1xEV-DO BSS 329 sends a message to the MS 320 to initiate 
authentication (e.g., in the form of a challenge handshal^e authentication protocol 
(CHAP) challenge message). The SIM 402 uses previously stored values of 
RAND and Kc as well as the internally stored value of Ki in the A3 function to 

15 calculate the SRES. In step 606 the MS 320 sends a message encapsulating 
authentication parameters including the value of RAND, the international mobile 
subscriber identity associated with the MS 320, the SRES value the SIM 402 
calculated, and the value of Kc.to the 1xEV-DO BSS 329 (e.g., in the form of a 
CHAP response message encapsulating parameters including 

20 name='GSMIMSI@operator.com' and CHAP Password='SRES&RAND&Kc'). In 
step 608 the 1xEV-DO BSS 329 sends a message encapsulating authentication 
parameters including the value of RAND, the international mobile subscriber 
identity associated with the MS 320, the SRES value the SIM 402 calculated, and 
the value of Kc to the Hybrid MSC 308 (e.g., in the form of an Access Request 

25 message encapsulating parameters including username='GSM IMSl' and Passwd 
= 'SRES & RAND & Kc'). The Hybrid MSC 308 may use the IMSl, RAND, and Kc 
parameters to index into a local database to retrieve a stored SRES value to 
compare with the SRES parameter which is passed in from the 1xEV-DO BSS 
329. In the scenario illustrated in Fig. 6 the values RAND and Kc are not found. 

30 In step 610 the Hybrid MSC fetches one or more new RAND, Kc. and SRES value 
triplets from the GSM HLR 344 and AuC 346. In step 612 the Hybrid MSC 308 
sends a message encapsulating new values of RAND and Kc to the IxEV-DO 329 
(e.g., In the fomn of an Access Reject message encapsulating new values of 

12 
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RAND and Kc). In step 614 the IxEV-DO BSS 329 sends a message 
encapsulating new values of RAND and Kc to the MS 320 (e.g., in the fomi of a 
CHAP failure message encapsulating new values of RAND and Kc). The MS 320 
may store new values of RAND and Kc for future use in authentication 
5 procedures. The MS 320 will retry authentication with the new RAND and Kc 
values. 

Turning now to Fig. 7, a failed authentication operation is depicted. Step 
702 Is the LCP negotiation between the MS 320 and the IxEV-DO BSS 329. In 
step 704 the 1xEV-DO BSS 329 sends a message to the MS 320 to initiate 

10 authentication (e.g., in the fonri of a challenge handshake authentication protocol 
(CHAP) challenge message). The SIM 402 uses previously stored values of 
RAND and Kc as well as the internally stored value of Ki in the A3 function to 
calculate SRES. In step 706 the MS 320 sends a message encapsulating 
authentication parameters including the value of RAND, the intemational mobile 

1 5 subscriber identity associated with the MS 320, the SRES value the SIM 402 
calculated, and the value of Kc.to the IxEV-DO BSS 329 (e.g.. in the form of a 
CHAP response message encapsulating parametei^ including 
name='GSMIMSI@operator.com' and CHAP Password='SRES&RAND&Kc'). In 
step 708 the IxEV-DO BSS 329 sends a message encapsulating authentication 

20 parameters including the value of RAND, the intemational mobile subscriber 

identity associated with the MS 320. the SRES value the SIM 402 calculated, and 
the value of Kc to the Hybrid MSC 308 (e.g., In the form of an Access Request 
message encapsulating parameters including usemame='GSM IMSI' and Passwd 
= 'SRES & RAND & Kc'). The Hybrid MSC 308 may use the IMSI, RAND, and Kc 

25 parameters to index into a local database to retrieve a stored SRES value to 
compare with the SRES parameter which is passed in from the 1xEV-D0 BSS 
329. In the scenario illustrated in Fig. 7 there are no RAND, Kc, and SRES triplet 
stored in the Hybrid MSC 308. In step 710 the Hybrid MSC fetches one or more 
new RAND. Kc, and SRES value triplets from the GSM HLR 344 and AuC 346. In 

30 step 712 the Hybrid MSC 308 sends a message encapsulating new values of 

RAND and Kc to the IxEV-DO 329 (e.g., in the form of an Access Reject message 
encapsulating new values of RAND and Kc). In step 714 the 1xEV-DO BSS 329 
sends a message encapsulating new values of RAND and Kc to the MS 320 (e.g., 

13 
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in the form of a CHAP failure message encapsulating new values of RAND and 
Kc). The MS 320 may store new values of RAND and Kc for future use in 
authentication procedures. The MS 320 will retry authentication with the new 
RAND and Kc values. 
5 Turning now to Fig. 8 we have an illustrative call flow for mobile 

authentication when the mobile roams into a GSM RAN. In this case the MS 320 
changes mode to GSM mode. Now the standard GSM authentication procedure 
applies. In step 802 the Hybrid MSG 308 sends an authentication request 
message bearing RAND and Kc parameters to the GSM BSS 317. The GSM BSS 

10 317 fonwards this authentication request to the MS 320 The SIM 402 uses the 
RAND and Kc which were received by the MS 320 in the authentication request 
message as well as the internally stored value of Ki in the A3 function to calculate 
the SRES. The MS 320 sends an authentication response message bearing the 
calculated SRES value to the GSM BSS 317. The GSM BSS 317 forwards this 

15 authentication response message to the Hybrid MSG 308. The SRES value sent 
by the MS 320 is compared to the SRES value stored in the VLR at the Hybrid 
MSG 308. If the values match, authentication succeeds. 

Turning now to Fig. 9 we have an illustrative call flow for mobile 
authentication when the mobile roams into a IxEV-DO RAN. In this case the 

20 mobile changes mode to IxEV-DO mode, and then the authentication scenarios 
are similar to those already described by Fig. 4 through Fig. 7. 

Turning now to Fig. 10 an illustrative call flow is shown for mobile 
authentication when the mobile roams into a GSM1x RAN. GSMIx is a later 
version of GSM. In this case the mobile changes mode to GSMIx mode, and then 

25 the authentication proceeds according to standard GSMIx authentication 
scenarios. 

In the present disclosure, the messages CHAP Response and Access 
Request are used to carry the necessary GSM information from the mobile to the 
network, and the message Access Accept, Access Reject, CHAP Success, and 
30 CHAP Failure are used to carry the information from the network to the mobile. In 
this patent application "pass-through messages means that the information 
encapsulated in these messages is carried transparently over the IxEv-DO RAN. 
That is, none of the entities in the RAN act upon the information encapsulated In 
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these messages, but simply forward them to the next entity until the mobile is 
reached or the HMSC is reached. In this patent application "encapsulate" means 
to intercalate information within a message, thereby to make the message carry 
information additional to the mere message type. In this patent application the 

5 term "packaging" may be used in the same sense defined above for the term 
"encapsulate," and hence "packaging" and "encapsulating" may substitute for one 
another from place to place in this patent application. 

The above disclosure provides many different embodiments, or examples, 
for implementing the disclosure. However, specific examples, and processes are 

10 described to help clarify the disclosure. These are, of course, merely examples 
and are not intended to limit the disclosure from that described in the claims. For 
instance, even if a CHAP Challenge message and procedure is used to describe 
the disclosure, the present disclosure still applies to any scenario or event that can 
occur in the wireless network and that causes the mobile or the network to initiate 

15 the authentication procedure. 

Additionally, although a dual-mode mobile that can support voice and 
packet data is used to describe the disclosure, the present disclosure still applies 
to any multi-mode mobile. Additionally, GSM and CDMA are used as examples to 
describe the disclosure. It is understood that the disclosure still applies to any 

20 authentication scenario between two wireless networks that have the same CN 
technology but different RAN technologies. 

The present disclosure as described above thus provides an economical 
method and system for providing an authentication solution to a multi-mode 
mobile operating in a hybrid networic. The present disclosure does not introduce 

25 any changes to the GSM and CDMA standards that define the protocols used to 
communicate between all network entities. Also, the disclosure does not introduce 
any change to any entity between the HMSC and the mobile. 

In addition, the present disclosure provides a cost effective solution given 
that it does not introduce any change to existing architectures in the RAN and CN. 

30 This is a significant advantage for a network operator or service provider because 
there is no need for investing capital in upgrading existing equipment. The 
migration of the services to be supported by the new network can be achieved in a 
much shorter time and at a lower cost The method and system described in the 
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present disclosure increases the wireless coverage to operators exponentially, 
speeds up deployment phase, nninimizes deploynaent expenses, eliminates core 
network operation expenses and provides higher quality of service for the mobile 
end user, therefore attracting more subscribers to operators. 

5 Also, the present disclosure presents a solution to deploy a new radio 

technology Into wireless networks without introducing any change to the core 
network. This creates a huge advantage for network operators that looking to 
expand their wireless service coverage of a new radio technology. The present 
disclosure needs very low cost and short deployment time considering that the 

10 core network does not have to be changed whatsoever. By deploying a new radio 
technology over an existing core network of existing technologies, major 
advantages are achieved at the radio access network such as higher bit rates. 
Other advantages are higher network capacity and increase in spectrum efficiency 
on the radio which leads to the ability of supporting larger number of subscribers 

15 and introducing better quality of service to the mobile user end. This means 

providing larger service coverage area and higher revenues to network operators. 

Moreover, because no changes are made to the existing core network, the 
present disclosure allows the delivery of all existing CN services to any mobile in 
its serving area. 

20 It will also be understood by those skilled In the art that one or more 

(including all) of the elements/steps of the present disclosure may be implemented 
using software and hardware to develop the HMSC, which will then be deployed in 
a wireless network at appropriate locations with the proper connections. 
Furthermore, while the disclosure has been particularly shown and 

25 described with reference to the preferred embodiment thereof, it will be 

understood by those skilled in the art that various changes in form and detail may 
be made therein without departing from the spirit and scope of the disclosure, as 
set forth in the following claims. 

30 
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